Gorzkowicz says change could open up resources, target vulnerabilities
STATE HOUSE, OCT. 30, 2025…..Cities and towns would be required under a plan from Gov. Maura Healey to let the state know of any cybersecurity incidents like hacks and data breaches, a proposed mandate that state officials hope will lead to a better picture of the cyber threats confronting the Bay State.
Cybersecurity has been a growing concern for Beacon Hill and many Massachusetts municipalities have already been stung by ransomware, hacking and other malicious cyber breaches. In 2020, NBC Boston reported that at least one in six Massachusetts communities had been infected by ransomware, dozens of which negotiated with or paid their attackers.
The governor’s so-called Municipal Empowerment Act (H 56) includes a section that would require cities, towns and districts to report known cybersecurity incidents to the Executive Office of Technology Services and Security’s Security Operations Center. EOTSS regulations would define what would constitute a “known cybersecurity incident” and prescribe the process for municipalities to report incidents.
“A lot of these cities and towns need some additional help, and we think by this, doing this reporting and having EOTSS get involved, we can open up more resources, make it available to them. But also it’s beneficial to us because we can step back and, from a statewide perspective, know where we have vulnerabilities with other cities and towns, or even within the commonwealth, to be able to button it up,” Administration and Finance Secretary Matthew Gorzkowicz said Tuesday. “So we think it’s a win-win to have that reporting mechanism in place. We can provide resources that they may not have … while at the same time benefiting from learning about the different attacks so we can safeguard ourselves.”
In 2019, Technology Services and Security Secretary Curt Wood told lawmakers the state’s computer network was being “probed” more than half a billion times each day by entities outside the United States looking for a weak spot in the state’s cyber protections. “Every day, we have attacks,” he said.
Lt. Gov. Kim Driscoll, a former longtime mayor, told the Municipalities and Regional Government Committee on Tuesday that the administration has been “plowing the field” to help municipalities learn how they can combine forces on cybersecurity and noted about $13 million in state grant funding recently put towards those efforts. The state does not oversee cybersecurity for cities and town, but the lieutenant governor said the state is their lifeline “when they find themselves in the midst of either a cybersecurity attack or, frankly, even an IT failure that may not be from a nefarious source.”
“There’s no small city that can manage this alone. Even the bigger cities, frankly, can challenge us. I mean, we’re constantly being challenged as a state with phishing attacks and new ways people are finding ways in back doors and things like that,” Driscoll said. “So, for us, this is a true partnership, and I think this part of the bill will only help strengthen that.”
Sen. Becca Rausch, the Needham Democrat who co-chairs the committee, and Spencer Republican Sen. Peter Durant pressed the administration most around the costs both the state and municipalities will incur from mandating cybersecurity reporting. Gorzkowicz said EOTSS “is absorbing this with existing resources.”
“They already, to some degree, to provide technical assistance to municipalities and work with them on a regular basis. This is just getting more consistent reporting. Like I said, some cities and towns chose to report to EOTSS and took advantage of those. Others did not. And so this really makes it more of a mandated reporting structure where we can get that information and have better information,” he said. “And it was important for EOTSS because, again, it gives them better information to be able to prepare their assistance and programming for municipalities.”
